A few years ago Alex Hutton coined the term Security Mendoza Line. It was in reference to Mario Mendoza the baseball player often used as a baseline for how well a player must hit in order to stay in the major leagues and not be demoted. Keeping up with the attacks automated within Metasploit can […]
Read moreWhy technology and process don’t solve the problem alone and how to make security part of the normal pattern of behaviour for your organization. Instead of assuming that “humans are the weakest link” this talk will show how to make people the first line of defence and make them an asset, instead of a liability.
Read morePreparation, Identification, Containment, Eradication, Recovery and Follow-up are nice to say and do – but how does one actually investigate an incident. Jason has been working on a methodology for the past 4 years while being exposed to incidents in a high value institution. In an effort to continue fine tune, Jason wants to present […]
Read moreThis presentation will discuss the options available to automate the conduct of vulnerability assessment and penetration testing engagements, and the reporting processes. The most important parts of running a security test are following a consistent methodology, utilizing the appropriate tools and their configuration, data management, getting accurate results, manual validation, and standardized reporting. The goal […]
Read moreCubical warfare is currently in an up raise. One Nerf gun can cause an arms race escalating beyond current weaponry either from common concept of High Performance Culture, to downright nastiness of co-workers. My goal is to educate attendees to take normal run-of-the-mill soft dart weapons, and make them into weapons of mass pain. Topics […]
Read moreThis talk will explain disc detainer locks from their basic function to the highest security models. We will examine their emergence in various world markets, particularly their recent emergence in the North America. Schuyler will demonstrate known vulnerabilities from picking, to impressioning to low-cost key duplication. The goal of this talk is to introduce audience […]
Read moreAmbiguities in the PDF specification means that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation. PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. [Well except […]
Read more64-bit malware are coming! 64-bit malware are coming! I’ve been repeating this for the last 2 years; it’s not tinfoil hat talk anymore. With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process for malware analysis and to make it as trivial […]
Read moreWe continually are asked “Does your product work with VPN X?”. This is the wrong question. The right question is whether any product on your network supports the authentication protocol you have chosen as a standard. Once you decide on a standard, the world opens up to you. Specifically, the world of open source software. […]
Read moreWe’ve all heard talks where we nodded in agreement with the speaker when he or she launched into jargon we didn’t comprehend. In this talk Jack, assisted by sock puppets, will explain common cloud computing terminology and discuss some common misconceptions about cloud computing.
Read moreThis toolset attempts to provide a easy to use U3 drive to gather forensic data from a windows computer. The entire toolset is located on the read-only portion of the U3 drive, and reports are writen to the writeable portion.
Read moreWell-known web applications are used for many purposes such as blogging, forums, e-commerce, database management, email and myriad others. Vulnerabilities in these applications (and their plugins) are discovered at an accelerated rate and are abused for site defacement and increasingly to serve malware. Website administrators need to keep track of the versions of these web […]
Read moreProprietary protocols are commonly used in industrial environments and are hard to fuzz. Often, one product like a railway control centre communicates over more than 10 proprietary protocols. Usually, external attackers do not have the specifications of the protocols to write suitable fuzzers. The same applies to internal penetration testers. Even with the specifications, time […]
Read more